Install an external admission controller
I manage several k8s clusters and have been experimenting with LKE for a client. For the application I have several mutating admission controllers. One of these I run on a google cloud function endpoint for decrypting secrets using berglas.
On a GCP k8s or a self-managed cluster these instructions work fine: https://github.com/GoogleCloudPlatform/berglas/tree/main/examples/kubernetes. A GCP cloud function is deployed and that endpoint is used in a MutatingWebhookConfiguration as a clientConfig.url.
AFAICT this does not work. My cloud function never receives an AdmissionReview request from LKE.
So I pulled up my sleeves, and wrote some additional Go + helm to:
- use cert-manager to create a self-signed cert
- save cert to secret
- use cert-manager cainjector to inject the cert into the MutatingWebhookConfiguration
- create dockerfile + deployment for berglas admission mutation webhook
- attach the certificate secret to the berglas webhook deployment as a volume
- use the certificate to start a TLS webhook
- install the webhook into the LKE cluster
That works! So it appears that using a clientConfig that targets an endpoint in the cluster works fine. cert-manager and other apps do this, and I was able to get it to work myself. However, a clientConfig.url that targets an endpoint that is not inside the cluster and is hosted at an external location does not seem to work.
I didn't see any documentation on this, so this left me wondering if this behavior is expected.
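As an added example (not the poster's code and not part of berglas), here is the shape of the in-cluster TLS webhook described in the steps above: a Go server that loads the cert-manager-issued certificate from a mounted secret and answers admission.k8s.io/v1 AdmissionReview requests with a JSON patch. The AdmissionReview types are a hand-written subset of the real wire format so the file has no dependency on k8s.io/api. The mount path /etc/webhook/certs, the tls.crt/tls.key file names (the keys cert-manager writes into a TLS secret), port 8443, and the example.local/mutated annotation are all assumptions; a berglas-style webhook would rewrite container env vars in mutate() instead of adding an annotation.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
)

// Hand-written subset of admission.k8s.io/v1 AdmissionReview: only the fields
// this webhook reads or writes. Unknown fields are ignored on decode.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type AdmissionResponse struct {
	UID       string          `json:"uid"`
	Allowed   bool            `json:"allowed"`
	PatchType *string         `json:"patchType,omitempty"`
	Patch     []byte          `json:"patch,omitempty"` // base64-encoded on the wire by encoding/json
	Result    *responseStatus `json:"status,omitempty"`
}

type responseStatus struct {
	Message string `json:"message"`
}

// mutate builds the JSON patch for one admitted object. The mutation here is an
// assumed annotation (example.local/mutated) that records the webhook ran; note
// the "/" in the key is escaped as "~1" per RFC 6901.
func mutate(req *AdmissionRequest) (*AdmissionResponse, error) {
	var obj struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return nil, fmt.Errorf("decode object: %w", err)
	}
	var ops []map[string]interface{}
	if obj.Metadata.Annotations == nil {
		// "add" to a missing parent fails, so create the annotations map first.
		ops = append(ops, map[string]interface{}{"op": "add", "path": "/metadata/annotations", "value": map[string]string{}})
	}
	ops = append(ops, map[string]interface{}{"op": "add", "path": "/metadata/annotations/example.local~1mutated", "value": "true"})
	patch, err := json.Marshal(ops)
	if err != nil {
		return nil, err
	}
	pt := "JSONPatch"
	return &AdmissionResponse{UID: req.UID, Allowed: true, PatchType: &pt, Patch: patch}, nil
}

// handleReview decodes an AdmissionReview body and returns the review to send
// back. A mutation failure fails closed (allowed=false) rather than letting the
// object through unmodified, which matters when the mutation injects secrets.
func handleReview(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp, err := mutate(in.Request)
	if err != nil {
		resp = &AdmissionResponse{UID: in.Request.UID, Allowed: false, Result: &responseStatus{Message: err.Error()}}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

func serveMutate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, "read body: "+err.Error(), http.StatusBadRequest)
		return
	}
	out, err := handleReview(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(out)
}

func envOr(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

func main() {
	// Assumed mount of the cert-manager TLS secret; tls.crt/tls.key are the key
	// names cert-manager writes into a kubernetes.io/tls secret.
	certFile := envOr("TLS_CERT_FILE", "/etc/webhook/certs/tls.crt")
	keyFile := envOr("TLS_KEY_FILE", "/etc/webhook/certs/tls.key")
	mux := http.NewServeMux()
	mux.HandleFunc("/mutate", serveMutate)
	srv := &http.Server{
		Addr:      ":8443",
		Handler:   mux,
		TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}
	log.Printf("mutating webhook listening on %s", srv.Addr)
	log.Fatal(srv.ListenAndServeTLS(certFile, keyFile))
}
```

The MutatingWebhookConfiguration then points clientConfig.service at this Deployment's Service with path /mutate, and the cainjector annotation fills in caBundle from the Certificate so the API server trusts the self-signed chain; the same server works unchanged for an in-cluster clientConfig.service target, which is the configuration the post reports as working.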